Certbot not generating certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: connekted.pagekite.me

I ran this command: certbot certonly --standalone -d connekted.pagekite.me

It produced this output:

My web server is (include version):
Nginx 1.25
The operating system my web server runs on is (include version): windows 11

My hosting provider, if applicable, is:
Pagekite
I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.60

Hi everyone
I am facing some issues while generating certificates.

Originally the web site is hosted on Node-RED, with nginx as the reverse proxy, and exposed to the internet via PageKite.

But sadly the certificate is not getting generated. Please help.

Additionally, if I use --nginx it says the plugin is not found; pip install certbot-nginx didn't work for me there.

If you use the standalone mode you need to free up port 80 first by stopping nginx.

You could use the webroot mode which writes the challenge files out into the directory structure of your website, so your website can serve the challenge response via nginx instead.

3 Likes

Hi there @webpofusion, thank you for your response. I have tried to stop nginx too. But then PageKite won't run? Isn't it?

Btw if I go for webroot what's the input? Because I don't know how to generate it.

1 Like

You could use the --nginx plug-in just as the authenticator like this:

certbot certonly --nginx -d connekted.pagekite.com --dry-run

It will just get the cert like --standalone and will not change your nginx config permanently.

Your nginx server must be running before doing this Certbot command.

The --dry-run just tests the process. If it works remove the --dry-run to get a production cert.

The --webroot method also works. But this method should work and is a little easier to set up.

I don't see your domain with a valid A and/or AAAA record anymore but once you restore that this should work.

4 Likes

Hello.
I am seeing the same error, that the requested nginx plugin does not appear to be installed. And can you try again with the PageKite site and see if you find the certificates now?

Also what is the webroot method?

Oh, very sorry. I forgot that the --nginx (and --apache) plug-ins are not available on Windows.

EDIT: The domain name in first post and here is wrong. Should end in .me not .com

certbot certonly --webroot -w (root folder) -d connekted.pagekite.com --dry-run

Replace (root folder) with the folder named by the root setting in the nginx server block for this domain.

See nginx docs for more details of the root and using folder names.

But, I still don't see the DNS records for your domain.

4 Likes

I have used the No-IP website to generate a CNAME,
Let's Debug (letsdebug.net)

It should now be available in the http-01 test.
I have added the CNAME in PageKite too.

But, I just noticed in the image in your first post you have connekted.pagekite.me (note it showed .me not .com)

And, your latest post showed con2ted.ddns.net which CNAMEs to the .me domain

So, never mind my comments about the .com name. That seems to be the wrong domain in your first post.

But, trying the .me domain does not reach the nginx server you describe. I don't understand how PageKite and nginx work together so I don't think I can be any help.

Your nginx server should respond with a 404 Not Found but instead is 503 Unavailable. And, the response headers don't show nginx as the server which it normally would.

nslookup con2ted.ddns.net
Non-authoritative answer:
con2ted.ddns.net        canonical name = connekted.pagekite.me.
Name:   connekted.pagekite.me
Address: 172.104.250.122

curl -i connekted.pagekite.me/.well-known/acme-challenge/Test123
HTTP/1.1 503 Unavailable
X-PageKite-UUID: 4a3445ea030bfe3e5a6902d82596a0347758ad43
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Expires: 0
Cache-Control: no-store
Connection: close

(summarized data response:)
<h1>Sorry! (fe)</h1><p>The HTTP PageKite for connekted.pagekite.me is unavailable at the moment.</p>
<p>Please try again later.</p>
3 Likes

You tried just when I closed it and was trying with ngrok.
Yes, you are right about the .com and .me thing.

Please try now:
connekted.pagekite.me/room1.html
This is the exact URL; also please open the inspect console.
I was using the free plan from No-IP, that's why the DDNS domain.

Yes, I now see the expected 404 Not Found from a test.

So, what does this do:

3 Likes

I would like to ask for some input here again.

My folder structure is like
D: Development

D:\Development\Nginx>nginx 1.25>html
D:\Development\pagekite
D:\Development\Certbot

Node-RED at C:\Users\shariq.node-red is the actual server; nginx is the reverse proxy.
Now I'm confused: what's the root folder? Do you get my confusion now?

Can you show us the nginx server block you set up for this domain name? It should have a listen setting for port 80 to handle HTTP requests. In that server block should be a root setting for a folder on your machine. I previously linked to nginx docs about that. Whatever this root folder is should be used in the Certbot -w value.

When you use nginx as a reverse proxy it handles the initial HTTP and HTTPS connections. There is a separate connection between it and your node server. You need a cert in nginx to handle HTTPS.

3 Likes
server {
  listen 80;
  server_name connekted.pagekite.me;
  #"192.168.0.60:1880"
  
  index  house.html;
  
   location /.well-known/acme-challenge/ {
    root /acme;
    }
  
  location /house {
   proxy_pass http://192.168.0.60:1880/house;
   root   /html;
   #index.html index.htm;
   proxy_redirect http://192.168.0.60:1880/house http://$host/house;
   
   proxy_set_header Host $host;
   ##added recently
   proxy_set_header Referer $http_referer;
   proxy_set_header X-Forwarded-For $remote_addr;
   proxy_set_header X-Forwarded-Proto $scheme;
   
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
	
   location /room1.html {
   proxy_pass http://192.168.0.60:1880/room1.html;
   root   /html;
   index room1.html;

   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   #add_header Access-Control-Allow-Origin  *;
   #add_header Access-Control-Allow-Private-Network "true";
   }
   
   location /room2.html {
   proxy_pass http://192.168.0.60:1880/room2.html;
   root   /html;
   index room2.html;

   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   
   location /room3.html {
   proxy_pass http://192.168.0.60:1880/room3.html;
   root   /html;
   index room3.html;

   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   
   location /room4.html {
   proxy_pass http://192.168.0.60:1880/room4.html;
   root   /html;
   index room4.html;

   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   
   
   location /home {
   proxy_pass http://192.168.0.60:1880/home;
   root   /html;

   #index.html index.htm;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   
   location /home.png {
   proxy_pass http://192.168.0.60:1880/home.png;
   root   /html;

   #index.html index.htm;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   
   
   location /on%20switch.jpg  {
   proxy_pass http://192.168.0.60:1880/on%20switch.jpg ;
   root   /images/pictures;
   #index on switch.jpg;

   #index.html index.htm;
   #proxy_set_header Host $host;
   #proxy_set_header X-Real-IP $remote_addr;
   #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
   
   location /off%20switch.jpg {
   #proxy_pass http://192.168.0.60:1880/off%20switch.jpg ;
   root   /images/pictures;
   #index off switch.jpg;

   #index.html index.htm;
   #proxy_set_header Host $host;
   #proxy_set_header X-Real-IP $remote_addr;
   #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }
 
  }

The /acme folder is the one you name in the Certbot command -w value

On Windows, nginx might treat that as an indirect path, and then the full path it uses is described in the nginx docs below. You might want to use an explicit path including a drive letter, also shown in those docs.

http://nginx.org/en/docs/windows.html

4 Likes
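A pre-flight check for the webroot mapping discussed in this thread, added here as an example and not part of any post: it resolves the file nginx will look up for a challenge URI given a location's root (absolute or relative to the nginx prefix), writes a throwaway token under the -w folder, fetches it over plain HTTP the way the CA does (the manual curl of Test123 above, automated) and removes it again. Function names and the base URL argument are my assumptions.

```python
import os
import secrets
import urllib.error
import urllib.request

# Path certbot -w WEBROOT writes a token to; nginx must serve the same file
# for the URI /.well-known/acme-challenge/TOKEN.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

def challenge_file_path(webroot, token):
    """Where certbot --webroot places a challenge token for this webroot."""
    return os.path.join(webroot, CHALLENGE_DIR, token)

def nginx_served_path(root, uri, prefix=""):
    """File nginx looks up for `uri` inside a location that has `root ROOT;`.

    nginx appends the whole URI to root, so `root /acme;` serves
    /acme/.well-known/acme-challenge/TOKEN. A relative root is resolved
    against the nginx prefix (on Windows, the folder nginx.exe runs from).
    """
    if not os.path.isabs(root):
        root = os.path.join(prefix, root)
    return os.path.normpath(os.path.join(root, uri.lstrip("/")))

def preflight(webroot, base_url, timeout=10):
    """Write a random token under webroot, fetch it over plain HTTP the way
    the CA would, then remove it. Returns (ok, detail)."""
    token = secrets.token_urlsafe(32)
    path = challenge_file_path(webroot, token)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace")
        if body != token:
            return False, "HTTP 200 but body was not the token (wrong webroot?)"
        return True, f"served {url} from {path}"
    except urllib.error.HTTPError as exc:
        # 404: wrong -w folder or wrong root in nginx; 503: tunnel/proxy down
        return False, f"HTTP {exc.code} from {url}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"could not connect to {url}: {exc}"
    finally:
        os.remove(path)
```

Run `preflight(r"D:\Development\Certbot\acme", "http://connekted.pagekite.me")` from the machine that runs nginx; only when it returns True is it worth asking the CA to validate.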

something positive to cheer about :slight_smile:
certbot certonly --webroot -w D:\Development\Certbot\acme -d connekted.pagekite.me --dry-run


Simulating a certificate request for connekted.pagekite.me
The dry run was successful.

2 Likes

Excellent. Re-run without --dry-run to get your cert.

Then you set up your nginx server block for HTTPS (port 443). Below is a good guide. Do not use HSTS or Stapling until you fully understand what they do. They are advanced features, so I de-selected them in the URL below.

4 Likes

Nope, it didn't work.
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: connekted.pagekite.me
Type: unauthorized
Detail: 172.104.250.122: Invalid response from http://connekted.pagekite.me/.well-known/acme-challenge/EBkyHEtC5yHLLU7aIRLvi9NrahtjyQ1ZKDvGdawbR8Q: 503

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

The 503 error happened earlier and you said:

Did you change anything between the --dry-run that worked and the request that failed?

I get a 503 error from your domain from my own test server, so this is not unique to Let's Encrypt servers.

2 Likes

Interestingly, it is working for me suddenly :stuck_out_tongue:
Is it a frequent thing to observe?